Defeat the Google Redirect Virus

A reader asks: Every time I search on Google and click one of the results, my web browser gets hijacked. I think I have a virus, but I can't even search for help on Google! Do you know about this, and is there a free tool I can use to fix the problem?

What is Google Redirect?

If you click on a link in a Google search result and get taken to a totally unexpected Web page, you may well have a malware problem. Google Redirect Malware is malicious software that redirects all of your Google search clicks to pages that serve up ads, more malware, phony anti-malware programs, etc. It can be extremely frustrating because you can’t search Google for a solution. It’s also very dangerous because it usually does much more harm than simply messing up your Google searches.

Google Redirect distracts the user with bizarre search result redirections, while in the background it may be collecting passwords and other sensitive data, using your computer to send spam, and letting remote bad guys do whatever they wish with your system.

Despite the name, Google Redirect malware is not a bug in any Google service. It’s a malware infection that resides on your computer, and was created by cybercriminals. It doesn’t matter which Web browser you use; all of your Google searches will be redirected. The only solution is to track down and eliminate the malware on your hard drive.

Google Redirect spreads when users are tricked into downloading malicious programs or clicking unsafe links in email. And unfortunately, Google Redirect is no ordinary malware. Some anti-malware programs miss it, because Google Redirect is a rootkit package that hides among your system files. For details about rootkits and why they are so hard to remove, see my article, I Think I Have a Rootkit!

Eradicating the Google Redirect Malware

Defeating the Google Redirect virus usually requires specialized rootkit-removal software. You may want to download some of these toolkits now, and store them on secure media such as a USB flash drive or a CD. After all, when you need them you won’t be able to use Google to find them!

Kaspersky Labs’ TDSSKiller detects and removes a variety of stubborn malware, including the TDSS rootkit that underpins many variants of Google Redirect. Its GUI is simple enough for non-technical users to follow safely. Just unzip the download file, run the program, and scan for malware. It works on 32-bit and 64-bit Windows systems, and can be used in Normal or Safe mode.

Norton Power Eraser can also detect and remove rootkits like Google Redirect. It aggressively scans for rootkits and tags suspect files for review by the user. It should be used with caution; eradicating the wrong system file can lock up your computer. Power Eraser runs on Windows XP, Vista, and Windows 7, and can be used in Normal or Safe mode.

I strongly advise you to create a System Restore Point before running either of these programs. That way, if you eradicate the wrong file(s), you can restore your system to its previous state and try again. If you're not familiar with System Restore, see my article Time Travel with System Restore to learn how it works.
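One way to create that restore point from the command line and confirm it actually exists before running a removal tool. This is an added example, not part of the original article; it assumes Windows PowerShell 2.0 or later in an elevated prompt, and the description text is a constructed label.

```powershell
# Added example: create and verify a System Restore point before rootkit removal.
$ErrorActionPreference = 'Stop'

# Restore points can only be created by an administrator.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run this script from an elevated (Administrator) PowerShell prompt.'
}

# System Restore must be turned on for the system drive.
$systemDrive = "$env:SystemDrive\"
Enable-ComputerRestore -Drive $systemDrive

# Remember the newest existing restore point so a new one can be recognised.
$previous = Get-ComputerRestorePoint -ErrorAction SilentlyContinue |
    Sort-Object SequenceNumber | Select-Object -Last 1
$previousSeq = if ($previous) { $previous.SequenceNumber } else { 0 }

# Constructed label; use any text you will recognise in the restore list later.
Checkpoint-Computer -Description 'Before rootkit removal' -RestorePointType MODIFY_SETTINGS

# Verify the result. Newer Windows versions skip creation when another
# restore point was made within the last 24 hours.
$latest = Get-ComputerRestorePoint | Sort-Object SequenceNumber | Select-Object -Last 1
if ($latest -and $latest.SequenceNumber -gt $previousSeq) {
    Write-Host ("Restore point {0} created: {1}" -f $latest.SequenceNumber, $latest.Description)
} else {
    Write-Warning 'No new restore point was created; do not run the removal tool yet.'
}
```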

Have you been affected by the Google Redirect malware? Tell me if you found another way to solve the problem.

Most recent comments on "Defeat the Google Redirect Virus"

Ummm ... why use Google search at all? I never have trusted their "benevolence" very far, so I use a filtered search - AVG Secure Search, to be specific, but there are others.

Even so, a good rootkit scan on occasion is an appropriate step. You never know until you check ...

Posted by:
RaoulDuke5244
22 Aug 2012

Does Google Redirect or any variant of it affect Apple Macs or Linux, etc.? It would be helpful to state at the beginning of the article if just Windows is affected or if other OS's too.

Posted by:
Les Marsden
22 Aug 2012

Bob - your timing and advice could not have been any more PERFECT! A couple days ago one of my machines began displaying this re-direct behavior and despite in-depth searches by a couple of my (full, paid-for) long-installed protection programs (*which will remain nameless...) the behavior continued. I had JUST begun to search for cures when your e-mail arrived this morning, I applied the Kaspersky TDSSKiller and BINGO: found AND destroyed. Immediately. Thank YOU, Bob - (and thanks too, Kaspersky - which may end up replacing my other programs.)

Posted by:
WilliamBonney
22 Aug 2012

Dear Bob,

Just finished reading your article on the Google Redirect issue. Would having a good A.V. such as Avast and Malwarebytes updating and running them religiously help with this problem? Personally I don't like or use "Giggle" with their abominable behavior. Thanks and a reply would be greatly appreciated.

WilliamBonney

Posted by:
Jacob
22 Aug 2012

About the Defeat the Google Redirect Virus.
Some time ago I had the same problem, my solution:
Replace the atapi.sys file but.....
This is the most infected driver for XP SP3 (SP2 and SP1 need a different version)
For instance, Virus Win32/patched.ch is located here.
You can't replace this file at the original location, because
it is a must for running XP, it will crash your system by replacing under XP.
You have to boot from a CD and run an external XP (Barts PE, or UBCD4Windows)
In this environment you can copy the ATAPI.SYS to the original location
C:\Windows\System32\Drivers

Posted by:
Eddie
22 Aug 2012

Bob, thanks for this article. Will look at Kaspersky's. On the other hand, I downloaded the Norton Eraser and somehow, SOMEHOW on a computer running XP it was set up to reboot and get rid of rootkit and it did not reboot! It got rid of a system 32 something and the computer would not reboot! Seriously! :-) I had used it before, successfully on a computer with Vista, so I don't know what happened. So, please, Bob advise users to beware. I had to have the computer fixed by a professional. Thanks Bob.

Posted by:
Wendyl
22 Aug 2012

For months I have been having constant pop ups and incessant redirects on several websites that I view daily. It was always a nuisance to have to close out the pop ups or have to go back to the original website page after being redirected to another, if not totally unrelated, page.

After reading your article, I first downloaded and ran Kaspersky Labs' TDSSKiller without any results. Then I downloaded and ran Norton's Power Eraser and it found and "erased" the two offending culprits. I am very happy to report that I haven't had any problems since! Thank you Bob. You've definitely made my day!

Posted by:
Lori
22 Aug 2012

I'm not very techie, so this is probably a stupid question but couldn't it work to just go to System Restore and go back to a date that they know was working well before you try anything else?

Posted by:
JOHN
22 Aug 2012

Ok:
You caught my attention with Go To Meeting in the article posted Aug 22, the GTM was running by itself yesterday, but it was too late.
I downloaded the latest trial of Malware, but it is not helping.
Your suggestion to use ROOTKIT may be an alternative, but I am unfamiliar. Is there additional information to help with confirming this tool for repair?
John . . . . Thanks in advance for your help.

Posted by:
Malvina
23 Aug 2012

I had the dreaded redirect virus about six weeks ago. After trying unsuccessfully to eradicate it myself, I posted my issue at bleepingcomputer.com, and one of their trained volunteers walked me through the removal process. It took a couple of days to go through the whole process, but it's gone now. Their service is free, although I was so happy to get rid of it, I voluntarily donated. If you're struggling with this, I recommend their site. I spent two weeks spinning my wheels - should have asked for help right away...

Posted by:
Buffet
23 Aug 2012

Just ANOTHER good reason I NEVER use google anything!!
Thanks once again for the latest, up to date 411.

Posted by:
Bill
23 Aug 2012

Bob:
You're right. This is nasty, frustrating stuff for the reasons you mention. I had to purge this rootkit from a friend's Windows XP box recently, and ended up lugging her computer home for a day while I researched the issue on my Mac mini.

Someone or something had disabled Windows Security Essentials on that box, which created a window of opportunity for the malware masters. Bookmark this article, people, and do as Bob suggests!

Posted by:
Avery
27 Aug 2012

Bob,
I just want to thank you for helping me get rid of something very similar. Something, like an update running in the background, would run every morning and it took forever to do anything else until it was done. I also had that "click on a link and it takes you somewhere else" thing. I'd have to close it out and start all over. I also kept getting little popups on the lower R. corner of my monitor. I could close them OK but they were just irritating. I ran the Malwarebytes program, Microsoft Security Essentials. Didn't help. After running both of the programs you provided, the problem is gone!!!! Thanks again.

Posted by:
Helene
01 Sep 2012

What a timely article! I have been struggling with redirection for over a month... have tried over a dozen "recommended" fixes... none even recognized the trojan until I tried "ESET Online Virus Scanner" (best used with IE)... so far so good. If you haven't been successful with removal of JS/Redirector.NIQ I suggest you give it a try. Thanks for the inspiration.

Posted by:
John
27 Sep 2012

Google Redirect malware?
Malwarebytes Anti-Malware
Worked for me.

Posted by:
Miniver
28 Nov 2012

I tried everything on like 10 different sites then just gave up and asked my son. He sent me to http://bit.ly/b.o.g.u.s. After spending hours doing all of the things that random guides on the internet gave me, they had my laptop clean and working great in 20 minutes.

EDITOR'S NOTE: Nice try, but your scammy Clickbank affiliate link isn't going to get published here. No need to buy a $29 product for this -- just read the article and follow instructions.
